Bitcoin Forum

A recent blog post from Xapo called “What happens if Xapo gets hacked?” the company discusses the unfortunate Bitfinex heist that took place on August 2, 2016. Xapo says that if they were compromised the company would cover the losses from its own reserve. This is a glaring difference to the many exchanges that failed to reimburse their customers.

It will be interesting to see how Bitfinex fares after their losses as it was the biggest Bitcoin exchange heist since the demise of Mt Gox. It’s safe to say exchanges that don’t pay their customers back in full will discourage new users from entering the Bitcoin space.

https://news.bitcoin.com/bitcoin-reimburse-losses-stay-alive/

if xapo would cover losses of a hack with their own reserve. then i have 2 questions

1. why are they not securing customers funds in the same manner as their own reserves, for them to think customers funds could be lost but their reserves could not be

2. why if customers funds are just as secure as their reserves, would xapo think that their reserves would not also be taken, ni which case there are no funds left to cover customer losses.

in my eyes its either customer funds are not as secured... which needs to be fixed
or
xapos own funds are highly secure just like customer funds.. which case xapo needs another layer of security incase both pots are raided

:D
anyone can say that customer funds are secure.
bitfinex said customer funds are secure by 3 methods
1. multisig with keys on different businesses/services (hot or cold more secure than standard transaction keys in single location)
2. cold store of 99%
3. insured by bitgo

but on the day of the "hack" all three failed
so nothing offers me any comfort that xapo in a scenario of a hack would not have their own funds at risk. or if their own funds are more secure than customer funds. you have to ask WHY!!.

Talk is cheap.

Now this is a really good question :D


Exactly... Advertising their service this way is also cheap too.

Another question is how can Xapo be certain its own reserve is enough to cover hacked customer funds? I doubt Bitfinex had a reserve big enough to cover the customer funds it lost. Most companies pay their shareholders the lions share of their profits, they don't save enough to cover huge losses. Most banks don't save enough to cover huge losses, and why should Xapo be different?

www.tuxexchange.com intends to take a significant portion of trading fees from each coin offered and build a reserve fund. We will publish the reserve addresses.

you can always make promises but who said they are going to keep them for example if xapo were hacked and lost 120KBTC will they still keep their promise and reimburse their customers? bitfinex and all those other exchanges that were hacked were also saying "we are safe and you have nothing to worry about"

they can have it if the company have a insurance. i think this will work if a insurance company accepted them because they have a huge profit. hahaha. but if a lot of money is involved , for example 100k btc. i don't think it is legit. because it is easy to run and make again a new company than giving reimbursed for the loss of their investor.
establishing new company is not a big deal seems they have a lot of funds to for promotion. haha

If I am the Xapo owner I would say that too. But will it be done once it happened? We dont really know. Maybe they should try to be hacked to see if it is real.  ;D

Agreed. I still can't wrap my head around Bitfinex's solution, they're making customers who were not affected by the hack pay for damages when they should be working to reimburse those who lost coins in the hack in full.




I would think the answer to this is pretty obvious, because they can't. They simply don't have the same amount of control over their customers' funds as they do over their own. Customers must be able to withdraw their funds whenever they choose, which unavoidably creates weaknesses. Their own reserves they can keep completely offline cut off from all access.

the title is right and if the companies reimburse their users because of the owner's fault it helps them keep their business but the cost will be so high in cases that the hack is huge like bitfinex.
also it is funny how xapo used this hack to advertise their own service with the help of bitcoin.com!

That is great news. I really like my xapo wallet. Don't forget that multiple wallstreet firms are involved with bitcoins. They definitely have the pocket money to cover any xapo hacks.

Those are big words, coming from Xapo, the question is, will they honor that promise when $80 000 000 and higher gets stolen? They might have insurance to cover losses like this, but I should think that something like that, must cost a fortune every month.

Let's see if they will honor that promise. ^smile^

Yeah,right.And what happens when Xapo reserves get hacked? ;D

Maybe Xapo customers will reimburse Xapo for their lost reserves.

Just kidding. ;D

just like their statement,they'll pay and cover the losses by their own reserves,if their reserves get hacked,i guess they have other reserves in form of fiat and not bitcoin,just say they have a backup money,it's indeed a marketing language to attract other exchanger's customer to get into xapo service but if this statement really true,atleast not bullshit,it's good

Another question is how long will Bitfinex last in their pretension that everything will be ok according to them? I do not think they can continue unless some other company buys the owners out and infuse capital injection in the company. I also cannot believe the owners of Bitfinex are running away with it with no legal demands from their customers. So they just accepted the tokens given to them?

but how can then reimburse users of losses this big. the hacks are always in a very huge amount. for example in case of bitfinex it was nearly 120,000BTC which was worth about 72,000,000 USD at the time of the hack. now my question is how can a company like xapo or exchanges like finex pay back this much money and not go bankrupt?

and more importantly do they really have this money in their reserve to pay back? in other words they have to have 240,000BTC stored to lose 120,000 and still have 120,000 to pay back. are these companies really this rich?
- I doubt it.

if this happen with xapo, then they are really want to cover it? i just don't sure about this, because bitfinex that had been hacked would not covers all the funds. but i hope xapo will prove their word if someday they got hacked.

No way most companies are capable of covering the losses of their customers in case of a hack if it is a major one.

A couple hundred thousand may be recovered if volume remains high enough, but millions? I don't see that happening, expect for maybe poloniex with the crazy volumes (most at 0% maker fees probably though) they are seeing on some of the altcoins.

If it happens, either investers are going to cough it up, or the service will file bankrupcy.. or it will pretend nothing happened for a year like cryptsy..

Sooner or later true insurance companies will come. But I think that they are scared by the current carelessness and stealing hidden under so bad "hacks".
Xapo delivers nice words and I hope we will not get to see if they are true or not... But you can't argue that they found a good niche for some more advertising.

Your right, it is concept called hot wallet when you need the Bitcoins transactions to be send in real time. So the transactions signing is eighter on online computer, or not, but the result is the same - immediatelly signed transaction broadcasted over internet, which you can potentially exploit.

I dont know whether Xapo can have reserves to cover the potential loses though, the most often used Xapo service is just online wallet and it is completly free to their users.

People will choose the company that they think there money will be safe. It would be the same case like in banks wherein the deposits are insured and any losses incurred by the bank will be their loss not their customers. So, in bitcoin companies, its their mistake or complacency so they should not let their customers bear the losses that they incurred. It's hard to earn back the customers trust after what happened and then they added more pain by letting the customers bear the loss so it would really hard for the company to earn back the people's trust again.

I don't think there is need of insurance companies for bitcoin projects. What making exchangers getting hacked is their own negligance over security systems and weak management of their reserves. And even insurance company can't be expected to be immutable towards hackers.

This words from Xapo may only remain as nice talk/statement, real test will be if they also go through similar hack as of other exchangers.

There is definitely no need for insurance companies, and even if there were there would be a ton of incredibly high rates just because of the risk of having to cover the losses of exchanges or whatever other business is just an insane undertaking and could become very costly very quickly.

Im sure there is an untapped market on this matter. Granted, the whole point of Bitcoin and its major strength is the fact that you control the asset and no body else can touch them, but a lot of people are scared of taking self responsibility so something like this will find its market eventually.

Insurance would increase Bitcoin's credibility, because whether you agree or not, old businessmen read about hacks and see there's no insurance, though we know that most of the hacks are negligence or inside job.
And insurance companies will have to enforce some rules to exchanges and so on to reduce the change of "hack" as much as possible, else they'll go bankrupt quick.

That sums it up pretty neatly. Xapo just wants to absorb as much of the disappointed user base of Bitfinex as possible. What's interesting is that Xapo implicitly admits a difference between the funds stored by its users and its own reserves. The security seems to be weaker for the former...

Apparently, Xapo uses a hot / cold wallet method or something comparable. As we have seen in the past, this is no guarantee for the security of reserves if the associated (human) security architecture is weak. After all, Bitfinex incurred massive losses, because the funds were stolen (internally?) from a multisig-setup that was meant to improve security.

You can't reimburse users from "reserves" if your reserves have been stolen.

ya.ya.yo!

xapo cold stores for some monster whales so if they're hacked it really, really ain't gonna be pretty. I assume they must be hyper anal about this stuff and bitfinex will up that even more.

we all know what it takes to be completely secure. there's no reason for a guy being super protective over his 0.1 btc to be secured better than a giant corporation.

No sane person would guarantee safety for your funds unless they take a considerable percentage as insurance payment.
So bitcoin/crypto currencies or anything at all if you want to be sure it's safe they take money and only if time comes and they get robbed they will then refund you 100% otherwise it's a risk you have to accept when you enter.

Exactly.
Without answering these questions it is just advertising, Nothing more.

Because the exchange must be able to process withdraw request. The reserves are not hot (and should be stored offline).

you do realise that ANYONE can have one server that holds NO private keys but instead has a database
this database just stores requests.
EG
USER12345 requests 0.01 to 1Ar4nd0mAdDress verification: adjsfhskfhjfhljkhasfhlsakjdfhsalkjf

then on a separate system unknown to the server. because the server not making an outbound API call to any known destination.. or doing anything requiring logging the other system.. this separate system can look in. and read this database and process the requests as and when it sees new request.. by looking in remotely. rather then a web server pushing data out. things get a little more secure.

we no longer live in the 1980's where reading a database takes minutes. but milliseconds. so the difference between having the keys on a server, and having the keys on a separate system is about a few miliseconds in actually moving funds when a customer requests it. which those miliseconds are meaningless in regards to block times of ~10minutes anyway.

as for securing the database, like i said by not communicating out(no outgoing API call), the server does not reveal the IP address that has the keys. also by adding a few basic security things you can sense if the database is being tampered with from within this could signal to the host to do something
where requests requires a verification code that can only be signed by the users sessionID(not a bitcoin private key) or some other crypto proof the intended users made the request. amungst other things can all reduce weak points.
well nothing is fool proof but if you add enough layers you can slow down a hacker long enough to spot him.
but either way its alot better then stupidly having a basic script that stores the private keys on the webserver and immediately processes withdrawals without checks

This configuration still allows for the hot wallet to be depleted (there is still a connection to the wallet via database). You don't need the keys to steal the funds at that point.

It's one thing to make a statement in media about reimbursing losses due to heists. It's another to make the claim official by including it as part of their terms of service or as part of an insurance statement. When Xapo makes this part of their official policy and as a guarantee to those using their services, then the claim will have merit. Until then, it's just something to garner some attention.

compared to private keys stored on the webserver. which can be a 5 second copy and paste hack.
having to tweak a request database. compare users to funds, add a fake request and also add a valid verification request is more layers of security.

the web server doesnt even need the public sessionid(or other cryptographic id) of the user validation because the web server does nothing.

the separate system can verify balances check signatures of the user validation(by this i dont mean a bitcoin private key, but some other cryptographiic id). so the hacker cannot really fake a request either.

even things like 2factor authentication where the "answer" is not saved on the web server.
and its the hidden server that pushes a 2FA to the customer and then reads the database again to see some response.

like i said. nothing is ever perfect. but adding layers and not having everything stored on one "honeypot" web server is just grossly negligent

Agreed.

two factor is out the window if the web server is hacked.

You can make it harder and hope to detect malicious behaviour, but you're in serious trouble if someone's on the web server.

but you mitigate the "trouble" by decreasing the valuable information stored on the web server.
basically just making the web server a GUI.. and a hidden remote system is the engine
then its not "serious trouble" but just "potential trouble", which good security and many layers (as ive said several times) makes trying to hack the webserver near usely and timely to attempt.

If thats the case that they can reimburse their custumer its a great company that can pay loses from other company.. 
Honestly xapo right is not good wallet i have old wallet there and i know the password and pins but the problem the receive codes or pi is always incorrect.
So i will never trust their world that they can reimburse to their costumers..

It depends on how much bitcoins do they leave in the hot wallet or in the 'cold' wallet because recovering tens of millions of dollars is not easy and can not be recovered in a short period of time.
I don't like to see this kind of statements from big companies but if they say that have a huge reserve capital then lucky them and lucky their users.

if the recovery plan is based on trading fee's recouping losses.. then lets take bitfinex for instance
they have done $4.5m in volume today based on https://coinmarketcap.com/exchanges/bitfinex/
which at a 0.3% fee (0.1% take 0.2%make) works out at $13.5k in fee's
even if they ploughed every penny of the fees into making everyone whole. its still 5,300+ days (upto 15 years at current volume) to actually make people whole again

so bitfinex for example better have some reserves. or can buy the debt back at pennies to the dollar as a settlement agreement with their creditors/debtee's(customers) or they are in for a world of hurt

after all
lets pretend they never needed to spend any money on wages, offices, servers, etc over the last 2 years, just so they could build up a reserve.
checking* they had an average $6million trade volume a day* ($20k fee) it would have still taken them 10 years to rake in enough reserves to have $72m.
*2 year average from stats

knowing they actually were spending fee's on business costs over the last couple years. there is no way they have reserves to cover the loss and no way they can make anyone whole again in the next couple years using future fee income either.

not unless some numpty buys the business valued at (-)72mill for a single $1. and puts in the other 72m to make customers whole again.
.. knowing that at their best years (prior to hack) it would take 10 years to just get 72m in fee's before business cost deductions. i cannot see any numpty investing 72m to make customers whole..
or as i said not unless they can settle with their creditors/debtees(customers) with a pennies on the dollar settlement.

All their staff and employees didn't volunteer for 10 years to cover the loss, but I think that they have got any investor which invested there and those funds can cover the loss.
I don't know what have they planned and how will they deal in the future, increasing the fees? or any other extra service which can generate income.

Xapo claims to have bought the most secure cold storage ever by having an actual physical cold stored bunker in some weird place in the middle of some mountains or something like that. If those guys get hacked too it would be a disaster, no way they would recover. Bitcoin can recover of anything at this point, but it would suck.

After all its all about trust and goodwill. I don’t have even a 0.001% hope that Bitfinex will reimburse any amount to those who lost their funds. In fact I read that Bitfinex is going to utilize funds of those depositors who were not affected by the hack. This is something like taking our of one’s pocket and giving it to another, that’s not fine in my opinion. Accidents are part of life but precaution control’s damage.

ive done some investing and in no way would any investor invest in anything that has stats to suggest 10 year break even.

even if you have a percentage ownership/control of the company you are still hoping for positive returns within 2 years. or without controling interest (treating it more like a loan) then the sooner the better

no one invests long term unless there is real (instant profit) collateral up for grabs that can be sold easily.
EG banks do the magic money creation for a mortgage agreement at a real world cost of 5% and then charge the mortgagee 190% over 10-30years knowing the end result is 5% cost upfront with either a house to sell if they default or 190% if the mortgage pays off. win win..

a few years ago IT companies had 'offers' of upto 70x the businesses value.. but recently there has been a correction in that insanity (bar a few exceptions)

if bitfinex was to offer me 50% control of bitfinex, id laugh at them. they are in no way worth $72million of any investors money. if anything $3million for 50% control would be a tempter.

sorry but i just cannot see bitfinex getting bailed out by investors, or having the reserves to cover losses.
the only scenario i see playing out is trying to settle the debt at pennies to the dollar

Xapo also claims that they will compensate their customer in case of hack and their customer will not lose anything. I think this is just a marketing tactics.
If ever Xapo get hacks then we shall see a different recreation from their team as they cant give lost bitcoins to customers from their own pocket.

How are they going to reimburse people's losses? These services are in competition with each other, and they will do and say anything to capitalize on the situation to gain more market share. Xapo was

a faucet heaven in the beginning and then they pushed out all those users in favor of KYC/AML regulations. I will not believe anything they say. If you want to reduce your losses, just stop storing huge

amounts of coins on these services.  ;)

On a different note, this is probably why some people wants to push for tighter regulations of exchanges.

even the companies that does not cover the losses continues working and people are making more deposit. look at the trading volume in bitfinex and you can see people still use the site so far

they can tell it like it and in my opinion there are two great factors as selling points:

1. their say as it will attract user to use their services

2. because this does not happen with xapo so they can just say it like that but when it get hacked will there be any guarantee that we can ask them to Reimburse our losses.

Basically, this. Every business that acts as custodian of your bitcoins is going to tell you that they will cover any losses. Bitfinex covered all losses when it was hacked previously. It's true until it isn't. I doubt Xapo controls 120k BTC, but if they ever lost that amount, I assure you they wouldn't be covering the loss. They would probably go straight into receivership.

The thing is the exchanges are earning high and the security level should be the best and with bitfinex we  see again companies dont think about any possible hacker skilled. I believe just poloniex were able to repay their costumers the ammount hacked in the past, since then i dont see any problem at their, sure they are paying atleast 30% of what they earn, but security issue its a must to any business holding several bitcoins.

It’s really not surprising. Customers trust companies that care. I would stick with a company if they gave back what was stolen due to an error on their end. The fact that it is bitcoin makes it even more important. Many people want security with bitcoin and by reimbursing people for their losses that helps to build invaluable trust.

How do you identify the companies that will give you back the stolen money?
The only one that I know is Xapo which made a public announcement but which another company behaves the same?

such services want to ease the minds of their customers and those customers want to hear exactly that. but what happens if something goes wrong is a different story. it is easy to break a promise or interpret it differently ;)
just be aware of the risks and act accordingly.   

you are right, in my opinion regulations should be huge because if this will not happen then there might be more and more problems with them

Since they can't be held legally to act on that statement, it really doesn't help.
Plus they may not have enough reserves to actually refund customers if they were hacked.
So the question of whether they intend to refund customers is moot.

Haha ok and if my house burns down the insurance company will replace everything within the house. Oh except this isn't covered, and that and this other thing. But in the end 8-18 months later you'll definitely have 40-80% of your funds back (assuming it wasn't your fault your house burned down!)

Or: You could not smoke in bed next to your oily rag collection.

Why wouldn't they just secure their funds better? Banks have had such strict rules for centuries but these clowns get hacked left right and centre in an economy/ community that's completely focused on security. What a clusterfuck.

WHAT WOULD HAPPEN IF XAPO GOT HACKED (https://blog.xapo.com/what-would-happen-if-xapo-got-hacked/) From this article Xapo guarantees that their users will not lose any money.
I haven't seen any other company or exchange which made a similar statement about their reserves and if they planned any plan B in case of any hack.

I still retain my stand that exchanges need to be insured, should a hack occur, the customers will not feel it.

When banks are robbed, customers do not pay for the robbery.

I think that XAPO has a lot more growing to do and they way they are approaching their work, they are going to have a long life to live.  They actually seem to care about their customers and I am glad to hear something like this come from them.  I am glad I have a wallet with them.